Page tree
Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 5 Next »

This is the advisory page for Service Provider V3 releases. For older V2 SP advisories, refer to the V2 SecurityAdvisories page.

This page provides access to the complete history of Security Advisories released for the Shibboleth V3 Service Provider and an "at a glance" table showing you which releases are vulnerable to what kinds of issues. If you're running a particular version, you can use this table to identify the issues that could affect your system and determine how urgent an upgrade is. In addition to the announce mailing list, you can "watch" this page for changes to keep abreast.

You can determine the exact version you're running based on the shibd.log during startup.

If you would like to report an issue you believe is security related, you can do any of the following:

As always, sites are advised to use the latest stable release of any Shibboleth product. Refer to the ProductVersioning page for information about our support and versioning policies. The Home page identifies the specific versions recommended at a given point in time

This page only covers advisories affecting the V3 Service Provider software. Other advisories are not listed here, but you can find the complete set of advisories in this directory.

Obviously not all vulnerabilities are created equal, and the classifications in the matrices are general in nature, and are meant to point you to the relevant advisories to look into.

A particular version will typically be implicated by any advisories noted for it and for any newer versions above it in the tables.

Advisories noted for "All" versions should be reviewed by all deployers for relevancy to their deployment. Typically this indicates that an advisory is at least partly discussing issues that go beyond the scope of what the Shibboleth software can actually remediate and may affect the deployment as a whole. It does not in general refer to unfixed vulnerabilities in the Shibboleth software itself.

Service Provider Vulnerability Matrix

The oldest SP 3 version unaffected by fixable vulnerabilities is 3.0.3 used with xml-security-c >= 2.0.1

VersionEOLUser Data ExposureResource ExposureSession HijackingDenial of ServiceRemote ExploitAdvisories

2018-08-03, 2018-01-23, 2014-04-09, 2011-10-24


3.0.2Dec 2018

3.0.1Aug 2018XX
3.0.0Jul 2018


Advisory List


Shibboleth SP software crashes on malformed date/time content

SP < 3.0.3moderate

Shibboleth SP software crashes on malformed KeyInfo content

SP w/ libxml-security-c < 2.0.1high
2018-01-23Implications of ROBOT TLS vulnerabilityAllhigh
2014-04-09OpenSSL "Heartbleed" vulnerability

SP or IDP w/ OpenSSL 1.0.1 - 1.0.1f

very high


2011-10-24Use of XML Encryption Vulnerable to Chosen Ciphertext AttacksSP and IdP, all versionsmoderate

  • No labels